CVE-2015-5295Improper Restriction of Operations within the Bounds of a Memory Buffer in Orchestration API

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-400Uncontrolled Resource Consumption8 documents7 sources
Severity
5.4MEDIUMNVD
EPSS
1.6%
top 18.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Openstack HeatOpenstack Orchestration APIFedoraproject Fedora+2 more
Timeline
PublishedJan 20
Latest updateMay 14

Description

The template-validate command in OpenStack Orchestration API (Heat) before 2015.1.3 (kilo) and 5.0.x before 5.0.1 (liberty) allows remote authenticated users to cause a denial of service (memory consumption) or determine the existence of local files via the resource type in a template, as demonstrated by file:///dev/zero.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

NVDopenstack/orchestration_api5.0.05.0.1+1
Debianopenstack/heat< 1:6.0.0~rc3-1+3
NVDoracle/solaris11.3

Also affects: Fedora 23

Patches

Patch: bugs.launchpad.netPatch: bugs.launchpad.net

🔴Vulnerability Details

3
GHSA
GHSA-2w55-prvj-mgc2: The template-validate command in OpenStack Orchestration API (Heat) before 20152022-05-14
OSV
CVE-2015-5295: The template-validate command in OpenStack Orchestration API (Heat) before 20152016-01-20
CVEList
CVE-2015-5295: The template-validate command in OpenStack Orchestration API (Heat) before 20152016-01-20

📋Vendor Advisories

2
Red Hat
openstack-heat: Vulnerability in Heat template validation leading to DoS2016-01-19
Debian
CVE-2015-5295: heat - The template-validate command in OpenStack Orchestration API (Heat) before 2015....2015

💬Community

2
Bugzilla
CVE-2015-5295 openstack-heat: Vulnerability in Heat template validation leading to DoS [fedora-all]2016-01-19
Bugzilla
CVE-2015-5295 openstack-heat: Vulnerability in Heat template validation leading to DoS2016-01-13
CVE-2015-5295 — Orchestration API vulnerability | cvebase